cisco nac appliance

8/12/2019 Cisco NAC Appliance

1/13

Cisco NACAppliance Overview

2006 Cisco Systems, Inc. All rights reserved.Presentation_ID 1


2/13

What Is NAC?

NetworkAdmission

Bettercriteria

Authenticate& Authorize

Scan &Evaluate

Control

network

access

Update &Remediate

Quarantine& Enforce

Where Is ItComingFrom?

What SystemIs It?

Whats thePreferred

Whats On It?Is It Running?

Who Owns It?


or Fix It?


3/13

NAC Server Foundation:

NAC Servers at the most basic level can pass traffic inone of two ways:

Bridged Mode = Virtual Gateway

=

Any NAC Server can be configured for either method,but a NAC Server can only be one at a time

Gateway mode selection affects the logical traffic path

mode, Layer 3 mode, In Band or Out of Band



4/13

Direct Bridging: Frame Comes In,Frame Goes Out

VLAN IDs are either passed

from A to B

directly to network devices on theTrusted side

NAC Server is an IP passivebump in the wire, like atrans arent firewall



5/13

NAC Server Foundation: Layer 2 Mode

NAC Servers have two client access deploymentmodels

Layer 2 Mode

Any NAC Server can be configured for either method,

but a NAC Server can only be one at a time

Deployment mode selection is based on whether theclient is Layer 2 adjacent to the NAC Server



6/13

NAC Server Foundation:

NAC Servers have two traffic flow deployment models

In BandOut of Band

Any NAC Server can be configured for either method,but a NAC Server can only be one at a time

remove the NAC Server from the data path

Assessment



7/13

Easiest deployment option

NAC Server is Inline (inthe data path) before and

Supports any switch, any

Role Based AccessControl Guest, Contractor,

Employee

ACL Filtering and


an w ro ng


8/13

Multi-Gig Throughputep oymen op on

NAC Server is Inline forPosture AssessmentOnly

Port VLAN Based and

Control

ACL Filtering and

an w t rott ng orPosture AssessmentOnly



9/13

NAC Manager (Clean Access Manager)

Centralizes management for administrators,support personnel, and operators

Serves as enforcement point for network

access control

NAC Agent (Clean Access Agent)

Optional lightweight client for device-based

Rule-set Updates

-


,critical hot-fixes and other applications


10/13

User Machine Server

Manager

DHCP Request Pre-connect (1099)

URL Redirect to Weblogin

Download NAC Agent Agent download (80)

Connect request (1099)

Connect Response (8955, 8956)

Open Web browser (if no agent)

Connect via TCP (443)

UDP Discover (8905, 8906)

Download Policy to AgentAgent checks and rules, XML (443)

User Login (443)

Certified and Logged On

Agent Performs Posture Assessment

Server Performs Access Enforcement


epor

Session and heartbeat timer (443)Logged out


11/13

-

for Critical Hotfixes

Pre-configured AVchecks for Windows

OneCare

WSUS Integration

Checks against WSUS serverCheck based on SeverityChecks for MS Office updates



12/13

. Wireless Out-of-band

FIPS Com liance

Double-Byte Support

Run Agent as a Service

NAC Radius - Phase 1

-

Mac Posture Agent

Abil ity to import/export polic ies in the CAM.

IPv6 pass-through Support

Faster/easier way to incorporate Opswat support and include additional Opswat API's.

Support for CAM/CAS Radius accounts

Support for SNMP Traps on NAC Appliance's



13/13


cisco nac appliance

Documents